Does a Certificate of Data Destruction Release our Company of Liability?

Companies that are serious about complying with data privacy laws require data destruction vendors provide them with a Certificate of Destruction. Though proper documentation is certainly an important step in the data destruction process, it begs the question — are we still liable if data is lost?

Do not be under the impression that if you have a Certificate of Destruction in your possession, that it establishes your compliance and clears you of liability, that is not the case.

A certificate does provide a paper trail, and establishes that you exercised some due diligence, but trying to do the right thing isn’t enough to help you escape liability if your data ends up in the wrong hands. This is why it’s important to select a data destruction vendor and process that goes a step beyond.

What is a Certificate of Hard Drive Destruction?

A certificate of data destruction is a document from a vendor that states digital media has been destroyed. The document can be as simple as a single sentence stating that computer hard drives have been destroyed to an extremely detailed document complying with NIST 800-88 specifications. A detailed certificate of data destruction from a vendor certified by NAID has more value than a simple statement from an electronic recycling company.

The truth is that most Certificates of Destruction contain signatures by people claiming to have provided the service. However, compliance and liability associated with data privacy laws requires much more than a piece of paper to prove that data has been properly completed. There’s no doubt that you should expect to be given a Certificate of Destruction – they are legitimate and important documents. But on their own they simply don’t provide you with the absolute proof that you need if a question arises.

How to Enhance a Certificate of Destruction

Rather than relying upon a company’s assertions and a piece of paper, there are three basic things that will provide you with complete confidence when it comes to data destruction. These are:

On-Site Data Destruction – If you want absolute certainty that your data has been destroyed, insist that the process is done on-site in a way that you and your employees are able to witness and verify. This eliminates all opportunities for your data to be accessed by an outsider.

NAID Certification – There are a number of companies that offer data destruction but who have not been certified by the NAID. By choosing a company that has NAID Certification, you are choosing an organization that understands and complies with the requirements that data privacy laws establish.

Physical Destruction – The single best way to guarantee that your data has been destroyed is to have it physically shredded. Though there are many companies that offer to erase your drives and then recycle them, it is important to understand that this means that they will be reselling them, leaving you open to the possibility of data that has not been properly erased falling into the wrong hands and leaving you open to liability.

At E-Waste Security, we go far beyond providing a certificate of hard drive data destruction by providing comprehensive on-site physical shredding services. Both the Department of Defense and the NIST agree that physically shredding hard disk drives is the most secure form of data destruction, and when the data destruction is done on-site it provides your organization with complete confidence that the data has been permanently and irrevocably destroyed. If you do not seek physical shredding and simply rely on a vendor providing you with a Certificate of Destruction you leave yourself vulnerable.